Subject: Re: Problems with Sendmail
From: shortpier (shortpier@shortpier.is-a-geek.com)
Date: Fri Nov 14 2003 - 06:46:46 AKST
YEP ....
Its why the old wingate software was so much fun for crackers.. IT did
not do a src check....
On the sendmail prob that started this all it would not have done any
good on the mail server (only had 1 interface I believe) It was located
in the "DMZ" that is what you mean by the "Orange" interface right?
(correct me if Im wrong guys I dont run smoothwall I just use mandrake
9.1 (customized Very far from stock) and (with a Very Customized
version of shorewall). My mail server and firewall are the same
machines so My rules check that if a 192.168.X.X packets comes in It has
to be on eth0 only not on eth1 or on a pppX interface IE src IP must
match the interface IP and can not come from the internal routing
table. The only caveat I have to that rule is I have a VPN running to a
client and it does accept packets from his subnet as long as they come
in on tunX. Anything else it Drops like an old girlfriend who is
stalking you........
This make it any clearer is my Weird way....?
Shortpier
On Sat, 2003-11-15 at 23:17, Barsalou wrote:
> I guess that would also mean that I should be droping any packets that
> come in on the external interface that don't have a source or
> destination IP of my host. If my IP is X and the packet IP's are Y and
> Z and my machine is being used as a gateway...normally it would
> route...unless I explicitly stop that....correct?
>
> Is that a forwarding rule or what?
>
> Mike
>
> On Fri, 2003-11-14 at 04:29, shortpier wrote:
> > Mike
> > Yep you got it right
> >
> > As Long as the gateway is a routeable addy all the routers in between
> > will ignore all other IP info beacuse the packet is sent to the
> > gatewaythen the gateway decides the route. This is NOT a spoof But a
> > badly set up NAT/Private IP system. True spoofing takes place at the
> > packet level and is a motherF**ker to protect agains.. You have to
> > capture that packets "inflight" And with most spoofs you look at the
> > hosts that the packet has passed through and the second addy from the
> > "origin" is normally the true ip of the sender. Refrence the
> > teardrop/nestea exploits that used to Bulescreen Win95/98 first edition
> > and use 100% CPU time on NT4 (ip packet fragment bug in BSD TCPIP that
> > Linux and M$ were useing in those days.
> >
> > /me does not know why people would like Teardrop................
> >
> > Ah to be young again
> >
> > Shortpier
> > On Sat, 2003-11-15 at 21:46, Barsalou wrote:
> > > I think I finally get it....if I have box A and I want to spoof traffic,
> > > I can use Box B where ever it is in the world as my gateway and
> > > therefore if it is broken in the way it routes, I can spoof the
> > > source/destination address and the routers between me and that box won't
> > > care....they will just blindly pass the packet on to the gateway...do I
> > > understand what you are saying?
> > >
> > > Mike
---- Attached file included as plaintext by Listar -- -- File: signature.asc -- Desc: This is a digitally signed message part
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQA/tPjlNyWzwlj5xp4RAnOmAJ9lKaprXEBdt8uUyTeEWBJVAOz1XgCgsnY6 /1C3JWHb68/iG04rZFwBwhI= =UVN5 -----END PGP SIGNATURE-----
--------- To unsubscribe, send email to <aklug-request@aklug.org> with 'unsubscribe' in the message body.
This archive was generated by hypermail 2a23 : Sun Nov 16 2003 - 00:20:29 AKST